IN THE CLAIMS:

1-4 (Canceled) 

5. (Currently Amended) A computer-implemented method of identifying the entry point of
an attack upon a device protected by an intrusion detection system, the method comprising the 
steps of: 

obtaining intrusion information, from an intrusion detection system, regarding an attack 
upon a device protected by the intrusion detection system; 

obtaining network information, from network equipment connected to the device, 
regarding the attack; 

determining a logical entry point of the attack using a correlation engine to correlate the 
intrusion information and the network information; and 

identifying a physical entry point associated with the logical entry point. 

6. (Currently Amended) The computer-implemented method of claim 5, wherein the 
intrusion information includes an address. 

7. (Currently Amended) The computer-implemented method of claim 6, wherein the
address is a source address.

8. (Currently Amended) The computer-implemented method of claim 6, wherein the
address is a destination address.

9. (Currently Amended) The computer-implemented method of claim 6, wherein the 
network information includes a logical port identifier of a logical port associated with the 
address. 

10. (Currently Amended) The computer-implemented method of claim 9, wherein the step of
determining a logical entry point includes the step of finding, in the network information, the
logical port identifier of the logical port associated with the address.

11. (Currently Amended) The computer-implemented method of claim 9, wherein the step of
identifying a physical entry point includes the step of identifying a physical port associated with 
the logical port. 

12. (Canceled) 

13. (Canceled) 

14. (Canceled) 

15. (Currently Amended) The computer-implemented method of claim 5, wherein the
network equipment includes a firewall with routing function. 

16. (Currently Amended) The computer-implemented method of claim 5, wherein the
network equipment includes a network dispatcher. 

17. (Currently Amended) The computer-implemented method of claim 5, wherein the 
network equipment includes a load balancer. 

18. (Currently Amended) The computer-implemented method of claim 5, wherein the
intrusion detection system includes network based intrusion detection equipment. 

19. (Currently Amended) The computer-implemented method of claim 5, wherein the
intrusion detection system includes host based intrusion detection equipment. 

20. (Currently Amended) The computer-implemented method of claim 5, wherein the 
intrusion detection system includes application based intrusion detection equipment. 

21. (Previously Presented) A method of identifying the entry point of an attack upon a device
protected by an intrusion detection system, said device one of a plurality of devices connected by 
a network, the method comprising the computer-implemented steps of: 

detecting an attack on the device; 

Page 3 of 22
Bardsley et al. - 09/917,368



Oct 13 2005 12:58PM YEE & ASSOCIATES, P.C. (972) 385-7766

notifying a correlation engine of the attack on the device; 
obtaining intrusion information regarding the attack; 
obtaining network information regarding the attack; 

using the correlation engine, correlating the intrusion information and the network 
information to produce correlation information; 

using the correlation information, finding on the network a logical port of connection 
used by the attack; and 

mapping the logical port on the network to a physical port on the network using the 
correlation engine. 

22. (Previously Presented) The method of claim 21 comprising the further step of: 
alerting a network manager to the location of the logical port and of the physical port.

23. (Previously Presented) The method of claim 21 wherein the step of mapping is 
performed using the correlation engine. 

24. (Previously Presented) The method of claim 21 wherein:
the intrusion information includes an address; and 

the network information includes a logical port identifier of a logical port associated with 
the address. 

25. (Currently Amended) An apparatus for detecting a point of an attack on a network, the 
apparatus comprising: 

network equipment for connecting a protected device to a network; 

an intrusion detection system comprising intrusion detection equipment; 

a correlation engine adapted to: 

receive a notification of an attack on the protected device; 

receive intrusion information regarding the attack; 

receive network information regarding the attack, wherein the network
information pertains to the network;

correlate the intrusion information and the network information to produce
correlation information;

use the correlation information to find on the network a logical port of
connection used by the attack; and

map the logical port on the network to a physical port on the network 
using the correlation engine. 

26. (Previously Presented) The apparatus of claim 25 further comprising: 

means for alerting a network manager to the location of the logical port and of the 
physical port. 

27. (Previously Presented) The apparatus of claim 25 wherein:
the intrusion information includes an address; and 

the network information includes a logical port identifier of a logical port associated with 
the address. 
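
The correlation recited in claims 5 to 11, sketched as an added example that is not part of the application or the applicants' code: an address from the intrusion information is looked up in the network information to find its logical port, which is then mapped to a physical port. The record layouts, the port names, the sample addresses and the order in which source and destination addresses are tried are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class EntryPoint:
    address: str                  # address taken from the intrusion information
    logical_port: str             # logical entry point (claims 9 and 10)
    physical_port: Optional[str]  # physical entry point (claim 11), None if unmapped

def find_entry_point(alert, network_info, port_map):
    """Correlate one IDS alert with records from network equipment.

    alert        -- intrusion information carrying 'src' and/or 'dst' addresses
    network_info -- rows of {'address', 'logical_port'} from the equipment
    port_map     -- logical port identifier -> physical port
    Returns an EntryPoint, or None when neither address is known to the equipment.
    """
    # Assumption: try the source address (claim 7) before the destination (claim 8).
    for field in ("src", "dst"):
        addr = alert.get(field)
        if not addr:
            continue
        for row in network_info:
            if row["address"] == addr:
                logical = row["logical_port"]
                # A missing mapping is reported as None rather than guessed.
                return EntryPoint(addr, logical, port_map.get(logical))
    return None

# Constructed sample data (documentation address ranges, hypothetical port names).
NETWORK_INFO = [
    {"address": "203.0.113.7", "logical_port": "vlan30"},
    {"address": "192.0.2.10", "logical_port": "vlan10"},
]
PORT_MAP = {"vlan30": "fw1:eth2"}  # vlan10 deliberately has no physical mapping

ALERTS = [
    {"src": "203.0.113.7", "dst": "192.0.2.10"},    # source known to the equipment
    {"src": "198.51.100.9", "dst": "192.0.2.10"},   # only the destination is known
    {"src": "198.51.100.9", "dst": "198.51.100.1"}, # neither address is known
]

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert, "->", find_entry_point(alert, NETWORK_INFO, PORT_MAP))
```

An alert that resolves to a logical port with no physical mapping still yields a result, so the gap in the port inventory is visible to whoever is alerted.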



